Koozali.org: home of the SME Server

how to stop email spam

Offline savolkis

« on: March 26, 2014, 10:13:34 AM »
Hello,
My server was added to a blacklist because of email spam. I think there is a virus hiding on my server; I tried to scan with the SME anti-virus system and it didn't help me at all. I need advice on how to remove or block this email virus and get my server off the blacklist.

OS: Linux
SME Server 8.0

Offline Stefano

« Reply #1 on: March 26, 2014, 10:31:56 AM »
I think you likely have a PC client with a virus..

or, alternatively, a broken/hacked web app on your server

since we don't know anything about your server and your LAN configuration, it's up to you to investigate..

first of all, disconnect SME/your LAN from the WAN

Offline savolkis

« Reply #2 on: March 26, 2014, 10:39:37 AM »
Well, I can tell you that I can see the email logs using SME Server, and the main sender is 'anonymous'. If the virus is not on the server, can you give me advice on how to find the virus location?

Offline Stefano

« Reply #3 on: March 26, 2014, 10:53:10 AM »
Quote
Well, I can tell you that I can see the email logs using SME Server, and the main sender is 'anonymous'. If the virus is not on the server, can you give me advice on how to find the virus location?

you forgot to tell us what's running on your server.. do you have any web app (Joomla, WordPress, whatever) running on your server and exposed to the WAN?

is your server in server-only or server-and-gateway mode?

is there any PC on your LAN?

we don't know anything about your setup, you are our eyes.. it's up to you to give us as many details as you can..

in other words, help us to help you, thank you

Offline savolkis

« Reply #4 on: March 26, 2014, 11:59:16 AM »
Ok.
1. I have 8 websites which are designed using Joomla 2.5

2. server and gateway mode

3. Yes, there are 5 PCs on the same LAN

Offline Stefano

« Reply #5 on: March 26, 2014, 12:04:54 PM »
ok, then

- disconnect your server from the WAN
- do a full AV scan on your PCs.. use anti-malware and anti-rootkit tools too
- ensure your Joomla installations are up to date and there are no known issues with your setup/modules/plugins
- post here some email logs with the "anonymous" sender

Offline janet

« Reply #6 on: March 26, 2014, 12:17:56 PM »
savolkis

Look in the qpsmtpd or sqpsmtpd log files in server manager to see where the bad emails are coming from.

If it looks to be a workstation or workstation user, then disconnect that workstation from the network.
Update your workstation virus scanners & start doing full virus scans on them, one at a time with each workstation disconnected from the network.

If the source appears to be a web app, then disable the app or disable access to the ibay or otherwise disable access to that site & see if the errant email flow stops.
You may have to experiment & stop each website one after another to see the response (i.e. no more bad email flow).

Check & see if the exact version of Joomla being used on each site is up to date and/or has any known security issues.
Keep all web apps regularly updated, & update the version of Joomla you are now using.

You really have to provide much more detailed information than what you are providing, i.e. get info from log files etc.

If you do not know how to do this & do not know how to troubleshoot this issue, then you really need to engage a consultant.

As mentioned you really need to disconnect the server from the Internet until you start to disable some sites or infected workstations etc. When you find the source of the problem, then you can reconnect the server. The longer you leave your server sending spam etc, then the more entrenched your server becomes on blacklists & the harder it becomes to get your server off blacklists, so act immediately.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline Frank VB

« Reply #7 on: March 26, 2014, 12:25:24 PM »
About a year ago another forum user also had a spam run, he posted his analysis in this post:

http://forums.contribs.org/index.php?topic=49785.0

He summarized his actions in reply #13.

Although in that case a WordPress installation was compromised, it contains some good pointers to help you find the cause of your spamming problem.

Good luck!

Offline savolkis

« Reply #8 on: March 27, 2014, 01:50:54 PM »
Hey again, I'll try to give you more info. First of all I want to start with the one guy who had a similar issue, but the problem isn't the same, and my opt folder is clear. Someone said to update Joomla, well I can't update because some of them are running version 1.6, others version 2.5.17; if I update, the template will get fucked up.

I go to my SME Server control panel -> Mail log file analysis -> Sender statistics, where I can see 'anonymous' as sender 4-5 times; I picked one.
----------------------
 mess    bytes   sbytes   rbytes  recips  tries       xdelay  sender
  480  2249084  1705276  2249084     480    548  4963.588321  102/<anonymous@kompiuteriai.eu>
   21    28561    23710    28561      21     21     1.114462  400/<anonymous@kompiuteriai.eu>
   20    21240    21240    21240      20     20     1.588546  407/<anonymous@kompiuteriai.eu>
----------------------
I want to ask janet where I can find the qpsmtpd or sqpsmtpd log files.

P.S. I activated spam control; for a few days it looks like silence. Btw, is there any program to see mail traffic, where I can spot at what time that happened and at least know the issue? Maybe it's not a server problem, and the spam goes from an infected PC.
« Last Edit: March 27, 2014, 02:12:43 PM by savolkis »

Offline Charles2008

« Reply #9 on: March 27, 2014, 02:24:40 PM »
Quote
where I can find the qpsmtpd or sqpsmtpd log files

From the thread that Frank VB refers to, Holck says:

"But first, of course, you need to make sure that none of your clients are infected. Scan through /var/log/qpsmtpd/current and /var/log/sqpsmtpd/current ..."

Code:
nano /var/log/qpsmtpd/current
I presume that this is what you are looking for.

Offline Frank VB

« Reply #10 on: March 27, 2014, 02:36:37 PM »
Quote
Someone said to update Joomla, well I can't update because some of them are running version 1.6, others version 2.5.17; if I update, the template will get fucked up.

You're running Joomla 2.5.17. Latest version of the 2.5 branch is 2.5.19. So you should at least upgrade your 2.5.17 installation to version 2.5.19. This is a minor upgrade, it won't ruin your templates. BTW, you have a test server for testing Joomla upgrades, don't you?

About Joomla 1.6: latest version is 1.6.6 but this version isn't supported anymore by Joomla IIRC. You should at least upgrade to 1.6.6. Upgrade to 2.5 or 3.2 better still.

Also check additional components and modules you've installed on your Joomla site for upgrades.


Offline savolkis

« Reply #11 on: March 27, 2014, 02:41:11 PM »
Quote
From the thread that Frank VB refers to, Holck says:

"But first, of course, you need to make sure that none of your clients are infected. Scan through /var/log/qpsmtpd/current and /var/log/sqpsmtpd/current ..."

Code:
nano /var/log/qpsmtpd/current
I presume that this is what you are looking for.

To my eyes it looks fine; I can make a screenshot if it's necessary.

Quote
You're running Joomla 2.5.17. Latest version of the 2.5 branch is 2.5.19. So you should at least upgrade your 2.5.17 installation to version 2.5.19. This is a minor upgrade, it won't ruin your templates. BTW, you have a test server for testing Joomla upgrades, don't you?

About Joomla 1.6: latest version is 1.6.6 but this version isn't supported anymore by Joomla IIRC. You should at least upgrade to 1.6.6. Upgrade to 2.5 or 3.2 better still.

Also check additional components and modules you've installed on your Joomla site for upgrades.
I don't think that would solve my problem, because the old webpages haven't been updated for a long time, and the email issue came to me a few months ago; the most recently updated page was my main page, which is located in the primary dir. I need something to follow my email traffic.
« Last Edit: March 27, 2014, 02:48:24 PM by savolkis »

Offline janet

« Reply #12 on: March 27, 2014, 08:56:34 PM »
savolkis

Quote
To my eyes it looks fine.....

You can more easily read the log files in the GUI Server manager, View log files panel.

You are not looking to see if qpsmtpd or sqpsmtpd looks fine, you are looking to see the source of emails, so you need to examine each message carefully, to try & determine what machine or source or user the email was sent from.

There have been previous examples of this shown in the forums, refer to other thread mentioned & search forums on header.

Offline savolkis

« Reply #13 on: March 28, 2014, 08:17:29 AM »
Quote
savolkis

You can more easily read the log files in the GUI Server manager, View log files panel.

You are not looking to see if qpsmtpd or sqpsmtpd looks fine, you are looking to see the source of emails, so you need to examine each message carefully, to try & determine what machine or source or user the email was sent from.

There have been previous examples of this shown in the forums, refer to other thread mentioned & search forums on header.

Yes, there are only my internet provider's emails, and I can't see any others.

Offline janet

« Reply #14 on: March 28, 2014, 12:14:25 PM »
savolkis

Have you run full virus scans on your 5 LAN PCs?

Are your PC email clients configured to send mail via the SME server's SMTP server, or are they sending directly to your ISP's SMTP server?
Check what the outgoing server setting is (in each of your PCs' email clients) to determine this.
If mail is bypassing the SME server then the problem is more than likely with your PCs.

Also, are you using secure connections to the server using ports 993 & 465 (for IMAP), different ports for POP etc.? Again check your PC email clients for these settings.
You should use secure SSL connections to the SME mail server to prevent unauthorised users or robots or viruses from injecting mail into the SME server.

You need to send a test message from each PC one by one, noting the time it was sent, & then identify that message in the qpsmtpd/current or sqpsmtpd/current log file. Then you will see details of each PC & user that has logged in to the mail system on your SME server.
When you know what you are looking for, you can then start scouring/searching the mentioned log files for evidence of spam or virus-laden messages being sent through your server.

Is anonymous@kompiuteriai.eu associated with your SME server?
Is that a valid user? Is that your domain name?

The log files I advised you to look at are where you will see all email messages being sent & received via your server; you need to look harder & more carefully.

Also, you said you enabled spam control; exactly what did you enable & where?
Why do you say that there was "silence"? How do you know that?
Your original issue is that you were blacklisted by other mail servers/RBL lists, so therefore that causes your outgoing mail not to be delivered.
What makes you believe that enabling spam control caused that blacklisting situation to change?

Also, what blacklist was your server on? How do you know that?

Please slowly answer all questions & provide all answers.
« Last Edit: March 28, 2014, 12:20:59 PM by janet »
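Janet's test-message procedure above, as an added example that is not from the thread or from SME Server: a Python triage script that parses qpsmtpd-style log lines, decodes the multilog tai64n timestamps (so a test message sent at a noted time can be matched to a session's start time), and totals recipients per client IP and authenticated user for the 'anonymous@' envelope sender. The log lines are constructed and the auth-line wording is an assumption; adapt the regexes to what your /var/log/qpsmtpd/current actually shows.

```python
import re

# Constructed sample in the style of /var/log/qpsmtpd/current on SME Server 8 (multilog tai64n stamp, qpsmtpd pid, message); the auth-line wording is an assumption.
SAMPLE_LOG = """\
@400000005332a52a00000000 4120 Accepted connection 0/40 from 192.168.1.12 / lab-pc.lan
@400000005332a52a10000000 4120 auth_cvm_unix_local: authentication succeeded for jonas
@400000005332a52a20000000 4120 dispatching MAIL FROM:<anonymous@kompiuteriai.eu>
@400000005332a52a30000000 4120 dispatching RCPT TO:<a@example.net>
@400000005332a52a40000000 4120 dispatching RCPT TO:<b@example.net>
@400000005332a52b00000000 4120 click, disconnecting
@400000005332a52c00000000 4131 Accepted connection 0/40 from 192.168.1.5 / office.lan
@400000005332a52c10000000 4131 dispatching MAIL FROM:<jonas@kompiuteriai.eu>
@400000005332a52c20000000 4131 dispatching RCPT TO:<friend@example.org>
@400000005332a52d00000000 4131 click, disconnecting
@400000005332a52e00000000 4120 Accepted connection 0/40 from 192.168.1.12 / lab-pc.lan
@400000005332a52e10000000 4120 auth_cvm_unix_local: authentication succeeded for jonas
@400000005332a52e20000000 4120 dispatching MAIL FROM:<anonymous@kompiuteriai.eu>
@400000005332a52e30000000 4120 dispatching RCPT TO:<d@example.net>
@400000005332a52f00000000 4120 click, disconnecting
"""

LINE = re.compile(r"^(@[0-9a-f]{24}) (\d+) (.*)$")
ACCEPT = re.compile(r"Accepted connection \S+ from (\S+) /")
AUTH = re.compile(r"^auth\S*:.*\bfor (\S+)")
MAIL = re.compile(r"MAIL FROM:<([^>]*)>")
RCPT = re.compile(r"RCPT TO:<([^>]*)>")

def tai64n_to_unix(stamp):
    """Decode a multilog @tai64n label to Unix seconds (daemontools rule: TAI64 epoch 2^62 plus 10 s, later leap seconds ignored)."""
    return int(stamp[1:17], 16) - (2**62 + 10) + int(stamp[17:25], 16) / 1e9

def parse_sessions(log_text):
    """One record per SMTP session; 'Accepted connection' starts a fresh record, so a reused pid never merges two clients."""
    live, sessions = {}, []
    for raw in log_text.splitlines():
        if not (m := LINE.match(raw)):
            continue
        stamp, pid, msg = m.groups()
        if a := ACCEPT.search(msg):
            live[pid] = {"start": tai64n_to_unix(stamp), "ip": a.group(1), "user": None, "sender": None, "rcpts": 0}
            sessions.append(live[pid])
        elif pid in live:
            s = live[pid]
            if u := AUTH.search(msg):
                s["user"] = u.group(1)
            elif f := MAIL.search(msg):
                s["sender"] = f.group(1)
            elif RCPT.search(msg):
                s["rcpts"] += 1
    return sessions

def recipients_by_client(sessions, sender_pattern="anonymous@"):
    """Recipient totals per (client IP, auth user) for sessions whose envelope sender matches, largest first: the top entry is the machine to take off the LAN."""
    totals = {}
    for s in sessions:
        if s["sender"] and sender_pattern in s["sender"]:
            key = (s["ip"], s["user"])
            totals[key] = totals.get(key, 0) + s["rcpts"]
    return sorted(totals.items(), key=lambda kv: -kv[1])
```

Compare each session's `start` against the time you noted for a test message to confirm you are reading the right log entries, then run `recipients_by_client` over the whole file.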

Offline savolkis

« Reply #15 on: March 28, 2014, 03:47:08 PM »
Have you run full virus scans on your 5 LAN PCs? / Yes

Are your PC email clients configured to send mail via the SME server's SMTP server or are they sending directly to your ISP's SMTP server? / Yes

Is anonymous@kompiuteriai.eu associated with your SME server? / Yes

Is that a valid user, is that your domain name? / No, and yes, it's my domain name (kompiuteriai.eu)

Also you said you enabled spam control, exactly what did you enable & where? / Configuration -> Email -> Email filtering settings -> enabled (virus scan, spam filtering, spam sensitivity, sensitivity level 4)

Why do you say that there was "silence", how do you know that? / Because I don't see any emails going out from the server

What makes you believe that enabling spam control caused that blacklisting situation to change? / Because at the moment we are out of the blacklist. Also, I think my server could have sent junk emails because of another infected computer which I'm repairing and connecting to my LAN to get drivers and other stuff. My job is computer engineering, and I've got a lot of infected computers; that could be a reason for the blacklisting too.

Also what blacklist was your server on, how do you know that? / I've got an email message from "senderscore.org" about my email spam, and they added my server to the blacklist. After I made changes and also updated my SME server, I wrote a message to remove me from the list, and they did, so for now I'm out of the list. I can't say it's 100% fine, but at this time I don't see any spam messages.
« Last Edit: March 28, 2014, 03:52:46 PM by savolkis »

Offline janet

« Reply #16 on: March 28, 2014, 04:51:33 PM »
savolkis

Quote
What makes you believe that enabling spam control caused that blacklisting situation to change? / Because at the moment we are out of the blacklist. Also, I think my server could have sent junk emails because of another infected computer which I'm repairing and connecting to my LAN to get drivers and other stuff. My job is computer engineering, and I've got a lot of infected computers; that could be a reason for the blacklisting too.

You should have secure SSL-only connections for email enabled in server manager, to prevent virus engines from accessing your SME server SMTP server. I notice you did not answer that question.

You really need to take more care if connecting virus-infected computers to your LAN; it's NOT a good idea. You should scan for viruses & remove them from any PC BEFORE connecting to your LAN. Update them via USB. At least temporarily disable the SME server SMTP server and qpsmtpd & sqpsmtpd when connecting new "unknown" computers.

You are really wasting our time troubleshooting your own self-created problems.

Please think more wisely before connecting any client computer.

Offline Xavier.A

« Reply #17 on: March 28, 2014, 05:01:37 PM »
@savolkis
OK, what I understood by reading this post is that you are not an IT security engineer ;-)

To start a forensic search you can:
Code:
whois kompiuteriai.eu
Domain: kompiuteriai

Registrant:
NOT DISCLOSED!
Visit www.eurid.eu for webbased whois.

Reseller:

Technical:
Name: IV Hostmaster
Organisation: UAB "Interneto vizija"
Language: lt
Phone: +370.52324444
Fax: +370.52077944
Email: hostmaster@iv.lt

Registrar:
Name: UAB "Interneto vizija"
Website: www.iv.lt

Name servers:
ns1.serveriai.lt
ns2.serveriai.lt
ns3.serveriai.lt
ns4.serveriai.lt

Code:
dig kompiuteriai.eu
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> kompiuteriai.eu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51235
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;kompiuteriai.eu. IN A

;; ANSWER SECTION:
kompiuteriai.eu. 1783 IN A 62.80.233.104

;; Query time: 1075 msec
Code:
host 62.80.233.104
104.233.80.62.in-addr.arpa domain name pointer hst-233-104.splius.lt.

And after, you check if you are really blacklisted and why:

MXtoolbox : http://mxtoolbox.com/domain/kompiuteriai.eu/?source=findmonitors
https  kompiuteriai.eu      The Certificate is invalid
spf    kompiuteriai.eu      A Valid TXT Record was not found
spf    kompiuteriai.eu      A Valid SPF Record was not found
dns    kompiuteriai.eu      SOA Expire Value out of recommended range
smtp   aspmx.l.google.com   Warning - Reverse DNS does not match SMTP Banner
smtp   aspmx.l.google.com   5.508 seconds - Warning on Transaction Time

DNSWatch : http://www.dnswatch.info/dns/rbl-lookup?host=kompiuteriai.eu&submit=RBL+Lookup
Checked 62.80.233.104 against 142/142 RBLs.
IP 62.80.233.104 is listed in 0 Realtime Blacklist(s).

Spamhaus : http://www.spamhaus.org/lookup/
62.80.233.104 is not listed in the SBL
62.80.233.104 is not listed in the PBL
62.80.233.104 is not listed in the XBL
and
kompiuteriai.eu is not listed in the DBL
splius.lt is not listed in the DBL
hst-233-104.splius.lt is not listed in the DBL

TrendMicro : https://ers.trendmicro.com/reputations
IP:    62.80.233.104
Reputation:    Unlisted in the spam sender list
Listed in:    None

It seems your domain or your IP are not blacklisted!!!!

« Last Edit: March 28, 2014, 05:20:15 PM by kid_of_leognan »
“When the wise man points to the moon, the fool looks at the finger.”

Offline Stefano

« Reply #18 on: March 28, 2014, 05:51:02 PM »
Quote
It seems your domain or your IP are not blacklisted!!!!

so it seems to me but
Quote
Reverse DNS does not match SMTP Banner

could be a reason for mail to be blocked..
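The RBL, reverse-DNS and banner checks in Xavier.A's and Stefano's posts above, as an added example that is not from the thread: a Python helper that builds the reversed-octet DNSBL query name, maps Spamhaus ZEN answer codes to the sub-list that hit, and compares the sending IP's PTR with the hostname announced in the SMTP 220 banner. The DNS answers here are constructed fakes so the block runs offline; pass the real socket resolvers (the defaults) to check a live server.

```python
import socket

# Spamhaus ZEN return codes, per the Spamhaus documentation: the A answer identifies the sub-list.
ZEN_CODES = {"127.0.0.2": "SBL", "127.0.0.3": "SBL-CSS", "127.0.0.4": "XBL", "127.0.0.5": "XBL",
             "127.0.0.6": "XBL", "127.0.0.7": "XBL", "127.0.0.10": "PBL", "127.0.0.11": "PBL"}

def dnsbl_name(ip, zone):
    """Reversed octets plus zone: the name an RBL client actually asks for."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def rbl_lookup(ip, zone="zen.spamhaus.org", resolve=socket.gethostbyname):
    """Return the sub-list name if the IP is listed, or None when the query is NXDOMAIN (not listed)."""
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except socket.gaierror:
        return None
    return ZEN_CODES.get(answer, "listed (" + answer + ")")

def banner_hostname(banner):
    """'220 host ESMTP ...' -> 'host'; None if the greeting is not a 220 line."""
    parts = banner.split()
    if len(parts) < 2 or not parts[0].startswith("220"):
        return None
    return parts[1].lower().rstrip(".")

def ptr_matches_banner(ip, banner, reverse=lambda ip: socket.gethostbyaddr(ip)[0]):
    """Stefano's point: the PTR of the sending IP should equal the host the banner announces;
    a mismatch is a common reason receivers score or defer mail even when no RBL lists the IP."""
    try:
        ptr = reverse(ip).lower().rstrip(".")
    except (socket.herror, OSError):
        return False, None
    return ptr == banner_hostname(banner), ptr

# Constructed fake DNS so the check runs offline: the thread's IP is unlisted with a matching PTR,
# and 192.0.2.77 (documentation range) is listed in XBL.
FAKE_A = {"77.2.0.192.zen.spamhaus.org": "127.0.0.4"}
FAKE_PTR = {"62.80.233.104": "hst-233-104.splius.lt"}

def fake_resolve(name):
    if name not in FAKE_A:
        raise socket.gaierror("NXDOMAIN (constructed)")
    return FAKE_A[name]

def fake_reverse(ip):
    if ip not in FAKE_PTR:
        raise socket.herror("no PTR (constructed)")
    return FAKE_PTR[ip]

if __name__ == "__main__":
    for ip, banner in (("62.80.233.104", "220 hst-233-104.splius.lt ESMTP"), ("192.0.2.77", "220 mail.example.org ESMTP")):
        print(ip, "RBL:", rbl_lookup(ip, resolve=fake_resolve), "PTR/banner:", ptr_matches_banner(ip, banner, reverse=fake_reverse))
```

A listed IP or a PTR/banner mismatch is a delivery problem on its own, separate from whether anything on the LAN is infected.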

Offline Xavier.A

« Reply #19 on: March 28, 2014, 10:04:17 PM »
Quote
could be a reason for mail to be blocked..

Maybe, but it is not because of an infection; it's because of a misconfiguration and a low level of server administration knowledge :lol:


Offline janet

« Reply #20 on: March 29, 2014, 03:36:49 AM »
kid_of_leognan

Further analysis is irrelevant.

savolkis stated already that he fixed his server by implementing spam control measures & successfully requested his server be removed from the black list mentioned, so of course he no longer has the problem.
He also mentioned he deliberately connected infected workstations to his LAN, so the spamming from his server was as a result of his own unwise actions.

Offline savolkis

« Reply #21 on: March 31, 2014, 02:09:21 PM »
Thank you guys for your advice and your time; for now it works fine and I don't have any problems.

best regards.